The Coworker With Full Access to Your Data May Not Be a Real Person
Here's something that will rearrange how you think about workplace security: the most dangerous person inside a company might not be a disgruntled employee who goes rogue. It might be someone who was never a real person at all.
Checking someone's ID once at hiring is no longer enough — AI can now manufacture an entire fake person who sails through onboarding and holds trusted access for months or years without anyone noticing.
A new paper from the Intelligence and National Security Alliance, covered by Homeland Security Today, landed on a finding that should make every HR department, IT administrator, and hiring manager uncomfortable: the people most likely to slip through weak identity checks aren't top-secret government contractors. They're the IT support tech. The accounts payable clerk. The remote contract worker managing your company's software systems. Everyday roles with serious access — and surprisingly thin identity checks at the door.
The Gap Nobody Talks About
We tend to imagine insider threats as dramatic — the spy, the saboteur, the angry employee. But the paper points to something quieter and more structural. Organizations that handle classified work often run rigorous, ongoing background investigations on cleared personnel. The checks are deep, repeated, and continuous.
But here's the gap: plenty of people in non-cleared roles — think IT contractors, finance staff, HR administrators — have access to systems that are just as sensitive. Source code. Customer payment data. Personnel records. Medical files. And those people? They often pass through a single identity check at onboarding and are never formally re-verified again, even as their access quietly grows over time.
This isn't a criticism of any one company. It's how most organizations are built. The mental model treats identity like a light switch — either you're verified or you're not. Once you're in, you're trusted. Forever.
That model made some sense when identity fraud meant someone showing up with a fake driver's license. It doesn't hold up anymore.
When the Fake Person Actually Passes the Check
This is where things get genuinely strange — and worth understanding carefully. This article is part of a series — start with Your Kids Birthday Photo Is All A Stranger Needs And It Take.
AI can now build what researchers call a synthetic identity (basically, a fake person assembled from fabricated and sometimes real pieces — a generated face, a plausible name, a constructed work history, documents that look right). Not a stolen identity. Not someone else's real information. A person who was invented from scratch, designed specifically to pass the checks a hiring process runs.
Now, you might think: okay, but wouldn't a face verification system catch a fake face? This is the part that takes a second to absorb.
Traditional fraud might involve someone holding a fake photo up to a camera — old-school stuff. Modern attacks don't do that. They use what security researchers call injection attacks — where the synthetic video or image is fed directly into the verification software's data pipeline, bypassing the camera entirely. The system never "sees" a person. It just receives a stream of data that claims to be a person, and that data is internally consistent: the face matches the document, the document matches the name, the name matches the work history. Everything checks out. Because it was all built together to check out.
There is no real person behind any of it. But the system has no way to know that.
According to Recorded Future, synthetic identity document fraud rose 300% in just the first quarter of 2025. Deepfake-enabled fraud more broadly has increased more than tenfold since the start of 2024. These aren't gradual trends. This is a specific attack method that is scaling fast, right now.
"Unlike traditional presentation attacks that replay manipulated media on a screen, injection attacks feed synthetic media directly into the verification pipeline — an identity verification system can match a synthetic face to a synthetic document without ever detecting that neither is real." — as reported by Biometric Update
Why This Is Harder to Catch Than a Stolen Identity
Think about what happens when a real employee goes bad. There's a paper trail. Past managers. References you can call. A face that matches a person who has existed for decades. When something goes wrong, investigators can reconstruct what happened — emails, access logs, a real human being to question or prosecute.
A synthetic insider has none of that. There is no person to interview. No prior employer to call. No address where someone actually lives. When access logs show suspicious behavior and security teams go to pull the thread, they find nothing on the other end. The identity just... stops existing. Which means whoever was operating behind that fake identity can walk away clean. Previously in this series: You Only Have One Face A Court Just Ruled You Get To Control.
Think of it like a border crossing. Normal security checks your passport once when you arrive, then waves you through for the next five years — even if you access the treasury, the server room, and the personnel database along the way. The initial check happened in seconds. The damage accumulates in silence.
And here's the uncomfortable kicker: the synthetic identity doesn't need to do anything dramatic to be dangerous. It can simply exist — collecting access permissions, sitting inside systems, quietly building a foothold — until whoever controls it decides to use it. Or sell it.
The Misconception That's Making Organizations Vulnerable
Most people — including most people running hiring processes — think of identity verification as a one-time gate. You show up. You show your ID. You pass a background check. You're done. Verified. Trusted. Indefinitely.
It's an easy mental model to fall into, and honestly, it's not unreasonable given how verification used to work. A background check on a real person with a real history was genuinely hard to fake. The assumption that passing once meant you were legitimate made sense.
What the INSA paper argues — and what the data supports — is that identity is not a fixed state. It's a relationship that needs to be maintained and refreshed, especially as someone's access grows. The IT contractor who joined your company to manage email servers should not automatically be trusted to export the customer database six months later just because they passed onboarding. Those are different risk levels. They deserve different levels of re-verification.
The paper recommends what researchers call risk-based identity verification — a framework where the intensity of the identity check matches the level of access being granted. Low-risk access, lighter check. High-risk access — touching financial records, sensitive data, admin controls — higher scrutiny, and potentially periodic re-verification as access changes. Not bureaucracy for its own sake. Checkpoints that are proportional to what's actually at stake.
What You Just Learned
- 🧠 Synthetic identities aren't stolen identities — they're fully invented people, built from scratch to pass verification systems, with no real human behind them
- 🔬 Injection attacks bypass cameras entirely — fake video and images are fed directly into software pipelines, so a system can verify a face that was never in front of any camera
- ⚠️ Non-cleared roles are the soft target — IT, finance, and admin staff often have serious system access but face weaker identity checks than roles with formal security clearances
- 💡 One-time verification is the core problem — identity is not static; access levels change, and checks need to keep pace with what someone can actually reach
What This Actually Means for You
So why should this matter to someone who isn't running a security team or a government agency? Up next: App Store Age Verification Scotus 28 States.
Because you're on the other side of this. You're the employee whose HR records sit in a system someone else can access. The customer whose payment data lives in a database. The patient whose medical history is behind a login. Every weak identity check somewhere in that chain is a door that the wrong person — or no real person at all — could have walked through.
At CaraComp, this is exactly the kind of problem that facial recognition and biometric verification (using your face, voice, or fingerprints — the physical stuff that's uniquely yours and can't be emailed to someone else) are designed to address. Not as a one-time gate, but as a continuous signal. Did the person accessing this system right now match the person verified at onboarding? Is the same face showing up consistently, or are there anomalies worth examining? Identity as a living check, not a stamp you get once.
When your bank asks you to re-scan your face before a large transfer, or your employer's system asks for a second verification before you access a sensitive file — that friction you might find mildly annoying? It's the system doing exactly what the INSA paper is asking for. A checkpoint proportional to the risk of what you're about to touch.
Identity verification isn't a front-door formality you finish at onboarding — it's a continuous check that should get stricter the more sensitive the access. One weak check at hiring can hand trusted, long-term access to someone — or something — that was never real to begin with.
Here's the question worth sitting with: if your organization discovered tomorrow that someone in IT had been operating under a synthetic identity for the past eight months — with full access to your systems — would your current processes have caught it? If the honest answer is "probably not," you're not alone. But you're also not without options. The fix isn't paranoia. It's just matching the weight of your identity checks to the weight of what's actually at stake.
One check at the door was never enough to protect what's behind it.
Ready for forensic-grade facial comparison?
Full forensic reports with detailed similarity scoring. Results in seconds.
Run My First SearchMore Education
That "Urgent" Call From Your Boss? The Voice Is Fake — And It Cost $1.33 to Make
A theater show at Edinburgh Fringe is teaching deepfake safety better than most corporate training programs—because it puts you under pressure, not just in front of a slideshow. Here's the lesson that could actually protect you.
digital-forensicsOnly 1 in 1,000 People Can Spot a Deepfake — Here's the 30-Second Habit That Actually Protects You
A 2025 study found only 1 in 1,000 people could correctly identify all deepfake content — even when told to look for it. Here's why your eyes are no longer a reliable defense, and what to do instead.
biometricsThat "Grandson" Begging You for Money Tonight? Hang Up and Call Him Back.
Nearly 9 in 10 older adults worry about deepfake scams — but most are preparing for the wrong threat. The real defense has nothing to do with your eyesight and everything to do with one simple habit.
